CVE-2022-49548
Published: 26 February 2025
Summary
CVE-2022-49548 is a high-severity Improper Validation of Array Index (CWE-129) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 22.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).
Deeper analysis
CVE-2022-49548 is a vulnerability in the Linux kernel's BPF subsystem, specifically within the bpf_trampoline_get_progs() function. The issue arises because the cnt value used in the 'cnt >= BPF_MAX_TRAMP_PROGS' check excludes BPF_TRAMP_MODIFY_RETURN BPF programs. As a result, the number of attached BPF_TRAMP_MODIFY_RETURN programs to a trampoline can exceed BPF_MAX_TRAMP_PROGS, causing an array overflow during the assignment '*progs++ = aux->prog'. The progs array in the bpf_tramp_progs struct is limited to holding at most BPF_MAX_TRAMP_PROGS programs. This flaw is classified under CWE-129 (Improper Validation of Array Index) with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
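The miscount described above, shown as an added illustration that is not kernel code: a constructed model with the same shape as the bookkeeping the analysis describes (per-kind attach counters and one `progs` array bounded by `BPF_MAX_TRAMP_PROGS`). To keep the effect visible, `BPF_MAX_TRAMP_PROGS` is set to a constructed value of 4 rather than the kernel's real constant, and `tramp_state`, `link_prog()`, `copy_overflow()` and `simulate()` are hypothetical names. The vulnerable count sums only FENTRY and FEXIT, as the page states; the corrected count sums every kind that is later copied into the array.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model, not kernel code. The real constant is larger; 4 keeps
 * the demonstration short. */
#define BPF_MAX_TRAMP_PROGS 4

/* The three program kinds that end up in a trampoline's progs array. */
enum tramp_kind {
    TRAMP_FENTRY,
    TRAMP_FEXIT,
    TRAMP_MODIFY_RETURN,
    TRAMP_MAX,
};

/* Per-kind attach counters, mirroring the kernel's progs_cnt[] idea. */
struct tramp_state {
    int progs_cnt[TRAMP_MAX];
};

/* Vulnerable count: FENTRY + FEXIT only, so MODIFY_RETURN is never counted. */
static int count_vulnerable(const struct tramp_state *tr) {
    return tr->progs_cnt[TRAMP_FENTRY] + tr->progs_cnt[TRAMP_FEXIT];
}

/* Corrected count: every kind that the copy loop below will emit. */
static int count_fixed(const struct tramp_state *tr) {
    int cnt = 0;
    for (int k = 0; k < TRAMP_MAX; k++)
        cnt += tr->progs_cnt[k];
    return cnt;
}

/* Attach one program of the given kind. Returns 0 on success, -1 when the
 * 'cnt >= BPF_MAX_TRAMP_PROGS' check refuses (the kernel's -E2BIG path). */
static int link_prog(struct tramp_state *tr, enum tramp_kind kind, bool fixed) {
    int cnt = fixed ? count_fixed(tr) : count_vulnerable(tr);
    if (cnt >= BPF_MAX_TRAMP_PROGS)
        return -1;
    tr->progs_cnt[kind]++;
    return 0;
}

/* Mirror of the '*progs++ = aux->prog' copy loop over a fixed-size array.
 * Instead of writing past the end, it counts each slot the loop would touch
 * beyond BPF_MAX_TRAMP_PROGS and returns that excess (0 means in bounds). */
static int copy_overflow(const struct tramp_state *tr) {
    int progs[BPF_MAX_TRAMP_PROGS];
    int *p = progs;
    int excess = 0;
    for (int k = 0; k < TRAMP_MAX; k++) {
        for (int i = 0; i < tr->progs_cnt[k]; i++) {
            if (p - progs < BPF_MAX_TRAMP_PROGS)
                *p++ = k;      /* in-bounds slot */
            else
                excess++;      /* would have been an out-of-bounds write */
        }
    }
    return excess;
}

/* Attach up to 'attempts' MODIFY_RETURN programs under one policy and
 * report how many array slots the later copy would write out of bounds. */
static int simulate(int attempts, bool fixed) {
    struct tramp_state tr = {0};
    for (int i = 0; i < attempts; i++)
        if (link_prog(&tr, TRAMP_MODIFY_RETURN, fixed) != 0)
            break;
    return copy_overflow(&tr);
}

int main(void) {
    printf("vulnerable check, 100 attaches: %d slots past the array\n",
           simulate(100, false));
    printf("corrected check,  100 attaches: %d slots past the array\n",
           simulate(100, true));
    return 0;
}
```

The point to take from the model is that the bound check and the copy loop must agree on what they count: any kind the copy loop emits has to be in the sum the check compares against `BPF_MAX_TRAMP_PROGS`, otherwise the check passes while the array fills past its end.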
A local attacker with low privileges can exploit this vulnerability by attaching an excessive number of BPF_TRAMP_MODIFY_RETURN programs to a BPF trampoline. This triggers the miscounted check, leading to the array overflow in bpf_trampoline_get_progs(). Successful exploitation enables high-impact consequences, including unauthorized access to sensitive data (high confidentiality impact), modification of system state (high integrity impact), and denial of service or system crashes (high availability impact), all with low attack complexity and no user interaction required.
Mitigation is provided through patches in the Linux kernel stable trees. Relevant commits include 32c4559c61652f24c9fdd5440342196fe37453bc, 4f8897bcc20b9ae44758e0572538d741ab66f0dc, 7f845de2863334bed4f362e95853f5e7bc323737, a2aa95b71c9bbec793b5c5fa50f0a80d882b3e8d, and e36452d5da6325df7c10cffc60a9e68d21e2606d, available at git.kernel.org/stable. Security practitioners should update affected Linux kernels to versions incorporating these fixes to prevent exploitation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-54684
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix potential array overflow in bpf_trampoline_get_progs() The cnt value in the 'cnt >= BPF_MAX_TRAMP_PROGS' check does not include BPF_TRAMP_MODIFY_RETURN bpf programs, so the number of the attached BPF_TRAMP_MODIFY_RETURN bpf programs in a trampoline can exceed BPF_MAX_TRAMP_PROGS. When this happens, the assignment '*progs++ = aux->prog' in bpf_trampoline_get_progs() will cause progs array overflow as the progs field in the bpf_tramp_progs struct can only hold at most BPF_MAX_TRAMP_PROGS bpf programs.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A local array overflow in the kernel's BPF trampoline code allows a low-privileged user to achieve privilege escalation with high impact on confidentiality, integrity and availability.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires timely remediation of the Linux kernel flaw via patches that fix the BPF trampoline program count check and so prevent the array overflow in bpf_trampoline_get_progs().
- CM-7 (Least Functionality): prohibits or restricts unnecessary BPF trampoline functionality so that low-privileged users cannot attach excessive BPF_TRAMP_MODIFY_RETURN programs.
- RA-5 (Vulnerability Monitoring and Scanning): enables vulnerability scanning to identify the presence of CVE-2022-49548 in the Linux kernel BPF subsystem for prompt patching.